Turning Tables: ID'ing The Hacker Behind The Keyboard

How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense

Second in an occasional series on knowing the attacker.

Even if you learn the name and get a photo of the Chinese hacker sitting behind the keyboard and siphoning your valuable intellectual property, it's unlikely to lead to his arrest. But there are ways to use that information to put the squeeze on the attacker and his sponsors.

After years of focusing mainly on the malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself, attempting to profile the bad actors stealing your blueprints or customer credit card numbers, or leaking your usernames and passwords on Pastebin. Leading that charge is CrowdStrike, the startup that aims to aggressively profile, target, and, ultimately, help unmask sophisticated cyberattackers.

Trend Micro also has been drilling down on the characteristics of different types of attackers, recently profiling the East Asian cyberespionage attacker versus the Eastern European cybercrime attacker. This shift toward getting to know the enemy behind the malware is a new way to put up better defenses from these inevitable attacks.

"I feel like we are at a tipping point," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "We're at a place in the industry where we are about to throw away 30 years of thinking on this issue ... Companies are willing to consider other strategies, and they are dissatisfied and really pissed off with the fact that they've spent millions of dollars in defense and defense-in-depth and best practices, and it's still not helping. We're making the adversary earn their medals, but they are still getting in. It may take two days now instead of one, but that's not really a win."

But since you can't really fly to China and arrest the hacker who's siphoning the intellectual property out of your servers, it's more important to know what he's after rather than who he is, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "You want to know what they are after. That's the end of it," Hoglund says. "If incident response has a picture to show the board that helps validate what they're doing ... at the end of the day, does it really matter? The guy who's after military technology, or your high-value IP on the commercial side -- that's the game. [He] might be interested in M&A activities or other work in another country to get a strategic advantage."

Hoglund says the best way to beat the APT is incident-response and least-privilege user controls. "If a company has an incident-response [program] in place and a good security policy with least privileges, they can put a serious dent in APT. That's a fact," Hoglund says. "It's also a fact that most companies don't do that."

So how can you use intelligence about the bad guy targeting you to better protect your organization?

Alperovitch says the key is finding out what company or organization is benefiting from the information that the attacker is stealing. "While we're interested in the guy behind it, it's also who's ultimately benefiting from the information. Maybe it's this guy in China [doing the hacking], but a state-owned oil and gas firm is getting to better compete in the marketplace" with the information he's grabbing for them, Alperovitch says.

Once you pinpoint the company sponsoring or getting the stolen intelligence, you have some legal options. "If you know the company, you can sue them. You can pick a jurisdiction because a lot of them are multinational in scope," he says.

Another weapon you can use: deception. If the utility firm is snooping on negotiation information, you can then plant phony data that derails their cyberespionage operation, he says.

Even having a photo of the culprit hacker and his identity can help disrupt a cyberespionage or cybercrime operation. "You can create pain for these guys by publicizing who they are and taking them out of business, if you will," Alperovitch says. "If their picture is flashed all over the news media, they are not going to work in that industry much longer, and it could cause concern with whoever's employing them ... The more you can expose cybercrime actors, [for example], the harder it is for them to do business with others."

It's all about making it painful and expensive for them to operate. Profiling your attacker can help you understand how they move within your network, for instance, says Tom Kellermann, vice president of cybersecurity at Trend Micro. "Most hackers have specific cyber kill-chains they like to employ. They don't deviate much, with the exception of delivery and exploit variables," he says. "Understanding how they move laterally within your system, for example, and what destination IPs and URLs they are using so the command-and-control is found ... Once you achieve that, it's how can you make discomfort for them? Make it more resource-intensive for them."

Still missing from the equation, he says, is applying pressure to the attackers' infrastructure suppliers, such as the hosting companies that house their servers and the alternative payment channels that breed money-laundering. "Those are the only ways to force them to stop hacking and do their own damage control," Kellermann says.

Knowing who your attacker is can help in some ways, but there are limitations, says Jeffrey Carr, CEO of Taia Global. "It helps when you're a large corporation with millions of nodes on your network and lots of files, and you have no idea what is strategically valuable and what isn't ... it does help you understand who wants what you have," Carr says.

It can also help drive home to your users the need to lock down data and devices while traveling overseas and doing business in countries like China or Russia, for example, he says. "They have to understand the insider threat. They have to make sure their executives [understand they can] be individually targeted when they travel," Carr says. "So if they are leaving the office with a laptop or cell and then come back and replug into the network, it doesn't matter if you are defending against spear-phishing [attacks]. You just got owned because of a senior executive" who got infected overseas, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

It's a very large leap from identifying a hacker in China to connecting said hacker back to a multinational corporation in any way that will stand up in court. -ŠAnd if you fail to make your case, you may find your self hacked and countersued. -ŠThat's staring to get pretty far adrift from any company's core competencies.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.